code review request: 7109096: keytool -genkeypair needn't call -selfcert

Weijun Wang weijun.wang at oracle.com
Tue Nov 8 08:29:06 UTC 2011


webrev updated at

    http://cr.openjdk.java.net/~weijun/7109096/webrev.01/

This time the JPRT test jdk_security3 passes on all platforms.

Thanks
Max


On 11/08/2011 03:18 PM, Weijun Wang wrote:
> I only ran tests on my Linux before posting the webrev. Then, in the
> pre-push JPRT run, it fails on all Solaris!
>
> Turns out that CertAndKeyGen has
>
> public X509Key getPublicKey()
> {
>     if (!(publicKey instanceof X509Key)) {
>         return null;
>     }
>     return (X509Key)publicKey;
> }
>
> So the public key, which I guess is a P11RSAPublicKey, is now null. I'll
> try to find a workaround.
>
> Thanks
> Max
>
>
> On 11/08/2011 11:19 AM, Xuelei Fan wrote:
>> Looks fine in general. Please make sure all regression tests pass.
>>
>> Thanks,
>> Xuelei
>>
>> On 11/7/2011 7:34 PM, Weijun Wang wrote:
>>> Description:
>>>
>>> keytool uses CertAndKeyGen to generate a basic self-signed certificate
>>> with no extensions. When the -ext option was introduced, -genkeypair was
>>> implemented as the original -genkeypair plus -selfcert, and extension info
>>> was added in the -selfcert step.
>>>
>>> This means the keystore object is modified twice in this single
>>> operation. In the case of PKCS11 or MSCAPI, it is actually written to
>>> the token twice. If a token can only be written once, the action will
>>> fail.
>>>
>>> Webrev:
>>>
>>> http://cr.openjdk.java.net/~weijun/7109096/webrev.00/
>>>
>>> No new regression test (noreg-cleanup).
>>>
>>> Note: NetBeans consolidates the multiple import lines in CertAndKeyGen
>>> into one. I'm not against that.
>>>
>>> Thanks
>>> Max
>>
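
The failure mode described in the thread above (a concrete-class check that returns null for a provider-specific key), reproduced with public JDK APIs only. This is an added example, not code from the thread or the webrev: TokenPublicKey, castOrNull and fromEncoding are hypothetical names, and the encoding-based conversion is one common approach, not necessarily the workaround used in the change.

```java
import java.security.*;
import java.security.spec.X509EncodedKeySpec;

public class ProviderKeyDemo {
    // Hypothetical stand-in for a provider-specific key class (for example a
    // token-backed key): it implements PublicKey but is not the concrete
    // class the caller expects.
    static final class TokenPublicKey implements PublicKey {
        private final PublicKey delegate;
        TokenPublicKey(PublicKey delegate) { this.delegate = delegate; }
        public String getAlgorithm() { return delegate.getAlgorithm(); }
        public String getFormat() { return delegate.getFormat(); }
        public byte[] getEncoded() { return delegate.getEncoded(); }
    }

    // Same shape as the quoted getter: a concrete-class check that silently
    // returns null for any other PublicKey implementation.
    static <T extends PublicKey> T castOrNull(PublicKey key, Class<T> expected) {
        return expected.isInstance(key) ? expected.cast(key) : null;
    }

    // Format-based alternative (an assumption of this example): rebuild a
    // software key from the X.509 (SubjectPublicKeyInfo) encoding, failing
    // loudly instead of returning null when no such encoding is exposed.
    static PublicKey fromEncoding(PublicKey key) throws GeneralSecurityException {
        byte[] der = key.getEncoded();
        if (der == null || !"X.509".equals(key.getFormat())) {
            throw new InvalidKeyException("key does not expose an X.509 encoding");
        }
        return KeyFactory.getInstance(key.getAlgorithm())
                         .generatePublic(new X509EncodedKeySpec(der));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a freshly generated software RSA key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PublicKey software = kpg.generateKeyPair().getPublic();
        PublicKey token = new TokenPublicKey(software);

        // Class-based check: non-null for the software key, null for the wrapper.
        System.out.println(castOrNull(software, software.getClass()) != null);
        System.out.println(castOrNull(token, software.getClass()) == null);
        // Encoding-based conversion recovers a key equal to the original.
        System.out.println(fromEncoding(token).equals(software));
    }
}
```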


